Cybersecurity is a major concern in the context of retirement plans as plan participants’ financial and personally identifiable information (PII) is maintained and shared across multiple parties.

The United States has no comprehensive national law governing cybersecurity and no uniform framework for measuring the effectiveness of protections. Consequently, there are no comprehensive federal regulations governing cybersecurity for retirement plans and their service providers. Whether cybersecurity is an ERISA fiduciary responsibility and whether ERISA preempts state cybersecurity laws remain important unanswered questions.

There is significant room to improve the measurement of security within the retirement vendor community. The Society of Professional Asset-Managers and Record Keepers (SPARK) and the ERISA Advisory Council, among others, have made efforts in that direction.

Current regulatory structure

The ‘Safeguard Rule’ of the Gramm-Leach-Bliley Act of 1999 (GLBA) requires that covered U.S. financial institutions safeguard sensitive data (15 U.S.C. 6801). Businesses that are significantly engaged in providing financial products or services, such as banks and brokers, are financial institutions that must safeguard customers’ personal information. This personal information includes nonpublic information that is personally identifiable financial information (known as National Provider Identifier, or NPI) collected by a financial institution. Items such as names, social security numbers, debt and payment history, and account numbers can be NPI when provided by the customer to the financial institution.

There is an understanding under Department of Labor (DOL) Regulation Section 2520.104b-1(c) and other pronouncements related to the electronic delivery of plan information that a plan sponsor must ensure the electronic system it uses keeps participants’ personal information relating to their accounts and benefits confidential.

Both the Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC) have adopted a series of requirements for financial institutions servicing defined contribution plans. Financial service providers are required to develop and implement various security and confidentiality procedures and tools designed to detect fraud and theft. These requirements generally apply to a plan’s consultants, investment advisors and service providers.

However, unlike the HIPAA rules (45 C.F.R. 160, 162, and 164) that apply to health care data for ERISA-covered health care plans, there is no clear ERISA regulatory structure governing the protection of financial information in retirement plans.

Some states have started to create their own laws which typically address breach notifications and private rights of action for any unauthorized disclosures of protected personal information. While several state attorneys general have been active in enforcing these laws in cyberbreach cases, a state-by-state framework remains a patchwork solution.

Fiduciary protection

ERISA imposes a standard of care on plan fiduciaries. One becomes a plan fiduciary either by being named as such, or through actions that result in the exercise of discretionary authority or control with respect to the management of a plan or its assets; providing investment advice for compensation; or having discretionary authority or responsibility in the administration of a plan (ERISA § 3(21)).

ERISA fiduciaries are subject to the prudent expert standard of care and owe a duty of loyalty to the plan participants. A prudent expert acts with the care, skill, and diligence that a person of like character and like aims would use under the circumstances. Fiduciaries must discharge their duties solely in the interest of plan participants and beneficiaries for the exclusive purpose of providing benefits to those participants and beneficiaries (ERISA § 404).

Much consideration is given as to whether or not the responsibility to address cybersecurity is a fiduciary function. Assuming it is a fiduciary function, while the occurrence of a cybersecurity breach does not necessarily give rise to a fiduciary breach under ERISA, the failure to avoid, mitigate or respond to such a breach may create such exposure. This is because the rules of ERISA fiduciary liability are rooted in a duty to act with prudence. Due to the prolific nature of cyberattacks, it may be difficult to argue that a prudent expert would not consider and react to cyber risks. For this reason, retirement plan administrators and other fiduciaries should be cautioned against viewing protection of plan assets and participant information solely as part of the responsibility of external plan recordkeepers and third party administrators (TPAs). Fiduciaries would be well-served to demonstrate and document the development and implementation of their cyber risk management strategies and due diligence.

Although ERISA’s preemption of state laws is well-established, the extent to which ERISA preempts state privacy and data laws is currently being litigated. As such, retirement plan sponsors and administrators should not disregard state laws in developing and implementing their cyber risk management strategies.

Misuse of plan participant information – an arising issue?

After almost three years of litigation in the excessive fee case involving Vanderbilt University’s two 403(b) retirement plans, the parties recently announced a settlement agreement. One aspect of the settlement has an interesting turn: Vanderbilt must take additional steps to protect confidential participant information.

In addition to excessive fee violations, the plaintiffs in the Vanderbilt case claimed the committee breached its duties of prudence and loyalty and participated in prohibited transactions by allowing TIAA to misuse confidential participant information for its own benefit. The complaint alleged TIAA used its position as a recordkeeper to gain “valuable, private, and sensitive information including participants’ contact information, their choices of investments, the asset size of their accounts, their employment status, age, and proximity to retirement, among other things.”

The plaintiffs argued this information was a plan asset, and the committee did nothing to stop TIAA from using the information to sell its investment products and wealth-management services to participants outside of the plan. The complaint also faulted the committee for not trying to determine the value of TIAA’s access to participants’ information as a marketing benefit.

To address concerns about misuse of participant information, the settlement requires Vanderbilt to contractually prohibit the recordkeeper from using information about participants acquired throughout the course of providing services to the plan to market or sell unrelated products or services to the participants unless a request for such products or services is initiated.

The settlement does not present a court’s legal conclusion as to the status of plan data as a plan asset. So while the settlement does not serve as legal precedent, it could be viewed as acknowledgement of the value of participant data. It is quite possible that similar claims constructed around the value of plan and participant information could surface in future complaints.

Given the focus on the value of personal data in our society, a conservative approach is to treat plan participant financial data as being a plan asset and take prudent steps to protect it as such. We expect that ownership and control of participant data will continue to be an area of intense interest in the retirement industry and could well be the subject of future court decisions.

Plan Sponsors should take a prudent approach

For HR leaders, making prevention the first imperative requires working with corporate IT to put safeguards in place. They should have clear sight into how data is collected, held and classified, who has access, and which laws apply. Investing in enterprise-wide technology is critical to recognizing cyber-attacks and stopping them when they occur. Implementing and periodically testing a disaster recovery plan that includes employee benefits leaves the response team well prepared.

In many cases the greatest vulnerability to cyber theft is the HR team itself. “Phishing” and other social engineering techniques have become very sophisticated, and can easily fool unwary team members into divulging information that gives thieves access to sensitive data. One of the best protections is thorough training for both HR staff and employees.

ERISA does not mandate a written cybersecurity or financial information policy, and there is no one-size-fits-all approach that must be taken. Instead, a plan sponsor must act prudently. The easiest way to show that a plan sponsor has followed a prudent process is to document that process. Creating any prescriptive document beyond those required by ERISA can carry significant challenges and risks, so cybersecurity documents should focus on process items rather than attempting to lay out any hard and fast rules.

The process of assessing security is further complicated by a destructive information cycle. Recordkeepers have significant incentives to reveal only a limited amount of information about their cyber defenses because hackers can learn from extensive revelations and adapt their methods to avoid detection. This means that recordkeepers often rationally respond with only limited information about cyberattacks and security.

Plan sponsors should consider:

  • A process for addressing and fixing cybersecurity issues; for example, identify possible gaps in security in the information sharing process with TPAs and recordkeepers.
  • Ensure that the appropriate level of cyber liability insurance is in place (both the employer and vendors) to help mitigate the damage of any potential attack and be sure that such coverage is as broad as possible.
  • Document the process for moving plan data, maintain a data inventory, retain only data needed and if data elements can be redacted, do so.
  • Delete records that are no longer necessary and make sure providers do the same.
  • Consider retaining an outside firm that specializes in cybersecurity for retirement plans to ensure participants’ data is secure through periodic audits.
  • Thoroughly vet service providers and negotiate contract provisions to lower or mitigate the cost of correcting a possible cyberattack on a plan by allocating responsibility to the vendor.
  • Request a copy of a provider’s Report on Controls SOC-II, an audit report describing an organization’s internal controls and attesting to their strength.
  • Plan fiduciaries should review their providers’ SOC reports and make sure that the reliance that the recordkeeper is placing on the client for their “part” is understood and in place.
  • Implement processes and controls to restrict access to plan systems, applications, data and other sensitive information.
  • Develop a retirement plan specific cybersecurity risk management strategy – in short, have a plan in place to address your response to a breach (including appropriate notices and remediation efforts).
  • Consider requiring 2-factor authentication to access participant accounts.

Plan sponsors should encourage plan participants to:

  • Set up an online account. Without an online account, the participant’s vulnerability to fraud is greatly increased, because its absence allows hackers to set up new online accounts and gain access to a participant’s funds.
  • Choose strong passwords that are hard to guess.
  • Change their passwords frequently.
  • Store passwords with care – do not leave passwords on a desk, table or counter for others to see.
  • Log out completely from any plan related web or intranet site.

Cyber and Fiduciary Insurance

Fiduciary insurance is typically triggered when a lawsuit is filed or regulatory investigation is commenced (or sometimes when a regulator asserts a deficiency), while cyber insurance is often triggered by a data breach. Existing fiduciary insurance may help after a lawsuit is filed, but prior to that point, the plan and/or plan sponsor may be responsible for the costs and mechanics associated with a breach (depending on the terms of the insurance policy). These include finding, hiring, and paying for experts to assess the scope of the breach and develop a mitigation plan, as well as finding the capacity to notify and respond to participant inquiries regarding an incident.

Plan sponsors may wish to seek specific cyber insurance policies or riders to existing policies (some of which are available in the market today) to cover their employee benefit plan(s). Policies that provide benefits upon a breach can offer assistance in locating the appropriate personnel to address each step of the process: from determining the scope of the breach, to notifying the appropriate individuals or entities, to providing resources to mitigate, or making whole any damages suffered as a result of the breach, such as identity monitoring or replacing stolen assets.

Conclusion

The cybersecurity environment for retirement plans is undergoing significant evolution, and this evolution will accelerate. While the precise fiduciary obligations of plan sponsors with respect to plan and participant information are not yet clearly defined, it is clear that multiple efforts are underway to define those obligations and to respond to the increasing need to strengthen protections. Presently, the SEC, the DOL, multiple states, and key industry organizations like SPARK and the ERISA Advisory Council are working to regulate cybersecurity and develop increased protections.

SPARK’s Industry Best Practices for provider data security reporting

| # | CONTROL OBJECTIVE | DESCRIPTION | SAMPLE CONTROLS |
|---|---|---|---|
| 1 | Risk Assessment and Treatment | The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals | Technology risk assessments are completed |
| 2 | Security Policy | Organizational information security policy is established | Security policies are approved and communicated |
| 3 | Organizational Security | Information security roles & responsibilities are coordinated and aligned with internal roles and external partners | A CISO or ISO has been assigned |
| 4 | Asset Management | The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy | IT application records are maintained in a formal system of record |
| 5 | Human Resource Security | The organization’s personnel and partners are suitable for the roles they are considered for, are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements | Personnel are subject to initial and periodic background checks |
| 6 | Physical and Environmental Security | Physical access to assets is managed and protected | Data centers are secured 24x7x365 with on-site physical security controls |
| 7 | Communications and Operations Management | Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements | Networks and systems include standard data security tools such as firewalls, antivirus, intrusion detection, and patch management. |
| 8 | Access Control | Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions. | Unique, complex passwords are assigned to all employees |
| 9 | Information Systems Acquisition Development | A system development life cycle (SDLC) to manage systems is implemented; a vulnerability management plan is developed and implemented and vulnerability scans are performed. | Regular penetration tests are conducted on customer facing applications |
| 10 | Incident and Event Communications Management | Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events. | Cyber incident procedures are documented and routinely tested |
| 11 | Business Resiliency | Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed | The organization maintains and tests BCP and DR plans |
| 12 | Compliance | Legal requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed | Policies and procedures are in place to enforce applicable privacy obligations |
| 13 | Mobile | A formal policy shall be in place and appropriate security measures shall be adopted to protect against the risks of using mobile computing and communication facilities | A mobile policy is approved and enforced |
| 14 | Encryption | Data-at-rest is protected and Data-in-transit is protected. | External transmissions are encrypted using FIPS approved algorithms |
| 15 | Supplier Risk | Ensure protection of the organization’s assets that is accessible by suppliers | Suppliers are subject to periodic security reviews |
| 16 | Cloud Security | Ensure protection of the organization’s assets that are stored or processed in cloud environments | Cloud providers are subject to periodic security reviews or can provide independent security assessments of their environment |

Sources:

Industry Best Practice Data Security Reporting. The SPARK Institute, Inc.
Benefit Plan Cybersecurity Considerations: A Recordkeeper and Plan Perspective. Pension Research Council.
Securing a successful HR and benefits technology strategy. Arthur J. Gallagher & Co. Human Capital Insights Report.
Vanderbilt 403(b) excessive fee case settlement goes beyond monetary relief. Arthur J. Gallagher & Co. Retirement Plan Consulting Practice whitepaper.
Cyber Security and Retirement Plans. Retirement Learning Center.

This material was created to provide accurate and reliable information on the subjects covered, but should not be regarded as a complete analysis of these subjects. It is not intended to provide specific legal, tax or other professional advice. The services of an appropriate professional should be sought regarding your individual situation.

Gallagher Benefit Services, Inc., a subsidiary of Arthur J. Gallagher & Co., (Gallagher) is a non-investment firm that provides employee benefit and retirement plan consulting services to employers. Securities may be offered through Kestra Investment Services, LLC, (Kestra IS), member FINRA/SIPC. Investment advisory services may be offered through Kestra Advisory Services, LLC (Kestra AS), an affiliate of Kestra IS. Certain appropriately licensed individuals of Gallagher are registered to offer securities through Kestra IS or investment advisory services through Kestra AS. Neither Kestra IS nor Kestra AS are affiliated with Gallagher. Neither Kestra IS, Kestra AS, Gallagher, their affiliates nor representatives provide accounting, legal or tax advice. GBS/Kestra-CD(327886)(exp092020)